cwwllcadaware

Browser Hijacked


OK, I figured it was the Qoo infection.

 

It's OK for this scan to run in normal mode only, because I just need the log (and we aren't cleaning with that tool). But I thought you said you couldn't get into Safe Mode? I guess you can now get into Safe Mode? Was the BitDefender scan in Safe Mode?


I can get into Safe Mode fine. My problem was starting BitDefender in Safe Mode. Their support team told me that it must be started using the command prompt, which was confusing (see instructions link: http://kb.bitdefender.com/site/viewArticle...nd_Prompt.html). That is why I ran BitDefender in normal mode, the only mode I could get it to start in.

 

The scan is still running.


So far, with all the logs that I've posted, do you think any of my MS Office files have been corrupted/compromised? Would opening any of them infect them or compromise them, etc.?


MWAV finished scanning. However, I am unable to open the log file. It is too large for Notepad, and when it attempts to open it in WordPad it freezes. I'm not sure what to do next. If I click OK and close the program, will it save a log onto the hard drive? I'm not sure if it does.

 

It found the following:

 

Ttl Critical Objects: 41

Ttl Errors: 67


Arrrgh, I wish I could remember with Windows 98. Go ahead and click OK and see if a log was saved. If so, instead of opening it, try to upload it here:

http://www.thespykiller.co.uk/forum/index.php?topic=1909.0

(press reply and attach the log)

 

I'm feeling awful at my ineptness with Windows 98 and trying to help you. I'll try to find someone who is more up to speed on Win98 than I am to step in here.


I think you're doing great helping me and you are extremely receptive during these difficult times. I decided to re-run MWAV in safe mode. Hopefully this time I can open the log file.


Finally, I got the MWAV log file, zipped (the actual file is approx. 25 MB). However, I am unable to upload it to the link directly from the A:\ drive. Does it have to be uploaded from the hard drive?


I'm still going over this, but meanwhile I found the fix tool for Qoologic for Windows 98. I think this should work on that one anyway.

 

1. Please download QooFix9x and save it to your desktop.

http://swandog46.geekstogo.com/QooFix9x.exe

Do NOT run it yet.

 

2. Next, please reboot your computer in Safe Mode by doing the following:

 

3. Once in Safe Mode, please double-click QooFix9x.exe and unzip it to the desktop. Open the QooFix9x folder on your desktop and run RunThis.bat. If you get a warning about running MS-DOS programs in Safe Mode, please just click OK to continue. Follow the prompts.

 

4. When the tool is finished, please reboot back into normal mode, and post the entire contents of the log.txt file in the QooFix9x folder.


Log of QooFix9x v1

 

************

 

Running from directory:

C:\My Documents\Hijack\QooFix9x\QooFix9x

 

************

 

Files found:

 

c:\windows\ungins.exe

c:\windows\geitqux.dll

c:\windows\system\unzdll.dll

c:\windows\guwwl.dat

 

************

 

Deleting files:

 

Deletion of c:\windows\ungins.exe succeeded!

Deletion of c:\windows\geitqux.dll succeeded!

Deletion of c:\windows\system\unzdll.dll succeeded!

Deletion of c:\windows\guwwl.dat succeeded!

 

************

 

Removing registry entries:

 

Done!

Backing up files:

 

Done!

 

Finished!


Except, it would really help to see a HijackThis log and another log I want you to generate for me.

 

Download Silent runners here (follow the instructions on that page)

http://www.silentrunners.org/sr_scriptuse.html

 

If you have antivirus script protection, please allow it (silentrunners.vbs) to run. While it is working, a box will say "Done".

Wait until there is an "All Done" message, then open and post the log that appears next to it.

 

Also, scan again with HijackThis and post a log from it as well.


I downloaded SilentRunners, but when I double-click on it nothing happens at all (in normal mode). Not sure what to do next.

 

In the meantime, following is the latest HijackThis log:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 8:25:42 PM, on 06/19/2006

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\WINDOWS\SYSTEM\MDM.EXE

C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE

C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\TPPALDR.EXE

C:\WINDOWS\STARTER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDMCON.EXE

C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDNAGENT.EXE

C:\WINDOWS\AWISAM.EXE

C:\PROGRAM FILES\WINFAX\WFXCTL32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\QHYXY.EXE

C:\WINDOWS\QHYXY.EXE

C:\WINDOWS\QHYXY.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\WINFAX\WFXMOD32.EXE

C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHELPER.DLL

O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"

O4 - HKLM\..\Run: [bDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"

O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKLM\..\RunServices: [bitDefender Communicator] "C:\Program Files\Common Files\Softwin\BitDefender Communicator\\xcommsvr.exe"

O4 - HKLM\..\RunServices: [bitDefender Scan Server] "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\\bdss.exe"

O4 - HKLM\..\RunServices: [bitDefender Live! Init] "C:\Program Files\Softwin\BitDefender8\bdinit.exe"

O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run

O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE

O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE

O4 - Startup: sfutg.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html

O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -


Let's try this one.

Would you please use HiJackThis to produce a startup list and post it here:

1. From HJT main screen, click 'Config' button

2. Click 'Misc Tools' button

3. Check both boxes to the right of 'Generate StartupList Log' button

4. Click 'Generate StartupList Log' button

5. Click 'Yes' in the next dialog

6. Save the log and post a copy in this thread.


I will also post the HijackThis startup list log momentarily.

 

In the meantime, a friend recommended trying AVG. I just scanned with it, and following is the HijackThis log.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 9:47:33 AM, on 06/20/2006

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MDM.EXE

C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE

C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\VERITAS SOFTWARE\UPDATE MANAGER\SGTRAY.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\TPPALDR.EXE

C:\WINDOWS\STARTER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDMCON.EXE

C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDNAGENT.EXE

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\WINFAX\WFXCTL32.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\WINFAX\WFXMOD32.EXE

C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHELPER.DLL

O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"

O4 - HKLM\..\Run: [bDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP

O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKLM\..\RunServices: [bitDefender Communicator] "C:\Program Files\Common Files\Softwin\BitDefender Communicator\\xcommsvr.exe"

O4 - HKLM\..\RunServices: [bitDefender Scan Server] "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\\bdss.exe"

O4 - HKLM\..\RunServices: [bitDefender Live! Init] "C:\Program Files\Softwin\BitDefender8\bdinit.exe"

O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE

O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html

O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -

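As an added example (not part of the thread and not HijackThis's own code), here is a small Python parser for the HijackThis v1.99 log format used in the two logs above. It pulls out the running-process list and the O-line entries, applies three heuristics of my own to the O4 autoruns (a bare executable in the Startup folder instead of a shortcut, one executable registered under more than one value name, and a process running from the Windows root that no autorun entry accounts for), and diffs the entries of the 19 June and 20 June scans so the lines that disappeared after cleanup stand out. The sample logs are constructed excerpts of the two logs posted above; the allowlist of shell processes is an assumption.

```python
"""Added example (not HijackThis code, not from the thread): parse HijackThis
v1.99 logs, flag autorun oddities, and diff two scans. Heuristics are my own."""
import re
from collections import Counter, defaultdict

ENTRY_RE = re.compile(r"^(?P<sec>[ORFN]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
SHELL_PROCESSES = {"explorer.exe"}   # assumption: the shell itself has no Run value


def parse_log(text):
    """Return (running-process paths, [(section, body), ...]) for one log."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # first O-line ends the process list
            entries.append((m["sec"], m["body"]))
        elif in_procs:
            procs.append(line)
    return procs, entries


def o4_target(body):
    """Split an O4 body into (location, value name, exe path, exe basename)."""
    m = O4_RE.match(body)
    if not m:
        return None
    cmd = m["cmd"].strip()
    if " = " in cmd:                  # Startup-folder shortcut: 'x.lnk = target'
        cmd = cmd.split(" = ", 1)[1]
    i = cmd.lower().find(".exe")
    if i < 0:
        return None
    path = cmd[: i + 4].strip('"')
    return m["where"], m["name"], path, path.rsplit("\\", 1)[-1].lower()


def find_oddities(text):
    """Sorted, human-readable findings for one log."""
    procs, entries = parse_log(text)
    findings, by_exe = [], defaultdict(set)
    for sec, body in entries:
        t = o4_target(body) if sec == "O4" else None
        if t is None:
            continue
        where, name, path, base = t
        by_exe[base].add(name or "")
        # 1. A raw executable sitting in the Startup folder instead of a .lnk
        if where.lower().endswith("startup") and " = " not in body:
            findings.append(f"executable dropped in Startup folder: {path}")
    # 2. One executable registered under several different value names
    for base, names in by_exe.items():
        if len(names) > 1:
            findings.append(f"{base} autoruns under {len(names)} value names: {sorted(names)}")
    # 3. A process running from the Windows root that no autorun entry explains
    for proc, n in Counter(p.lower() for p in procs).items():
        m = re.fullmatch(r"c:\\windows\\([^\\]+\.exe)", proc)
        if m and m[1] not in by_exe and m[1] not in SHELL_PROCESSES:
            findings.append(f"{m[1]} running x{n} from C:\\WINDOWS with no autorun entry")
    return sorted(findings)


def diff_logs(before, after):
    """(entries that vanished, entries that appeared) between two scans."""
    b, a = set(parse_log(before)[1]), set(parse_log(after)[1])
    return sorted(b - a), sorted(a - b)


# Constructed excerpts of the 19 June (SCAN_1) and 20 June (SCAN_2) logs above.
COMMON = r"""
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
"""
SCAN_1 = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\AWISAM.EXE
C:\WINDOWS\QHYXY.EXE
C:\WINDOWS\QHYXY.EXE
C:\WINDOWS\QHYXY.EXE

O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run
O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run
O4 - Startup: sfutg.exe
""" + COMMON
SCAN_2 = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\STARTER.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
""" + COMMON

if __name__ == "__main__":
    for f in find_oddities(SCAN_1):
        print("scan 1:", f)
    removed, added = diff_logs(SCAN_1, SCAN_2)
    print("gone after cleanup:", [body for _, body in removed])
```

On the first scan the three heuristics single out exactly the entries the helper was chasing: awisam.exe under two random-looking value names, the raw sfutg.exe in the Startup folder, and the three QHYXY.EXE processes with no visible autostart. On the second scan they return nothing, and the diff shows those entries gone and only the AVG value added.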

Great, that got what was visible. Can you post the AVG scan log?

 

I would suggest that you uninstall BitDefender, because too many AVs running at the same time could cause conflicts or make the system hang.


I just uploaded the event history logs (3 xml docs) from AVG at the other link.

 

I also partially (15% of the files) ran MWAV after running AVG to see where things were and found the following viruses:

 

Precisionpop Spyware/Adware found in File System

Smitfraud Browser Hijacker found in File System

File C:\Windows\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip infected by "Password-Protected-Exe" virus!

 

---------------

 

Following is the HJT startup list:

 

StartupList report, 06/20/2006, 11:16:28 AM

StartupList version: 1.52.2

Started from : C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

Detected: Windows 98 SE (Win9x 4.10.2222A)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

* Including empty and uninteresting sections

* Showing rarely important sections

==================================================

 

Running processes:

 

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MDM.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\TPPALDR.EXE

C:\WINDOWS\STARTER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\WINFAX\WFXCTL32.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\WINFAX\WFXMOD32.EXE

C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\WINDOWS\Start Menu\Programs\StartUp]

Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE

Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE

 

Shell folders AltStartup:

*Folder not found*

 

User shell folders Startup:

*Folder not found*

 

User shell folders AltStartup:

*Folder not found*

 

Shell folders Common Startup:

[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]

*No files*

 

Shell folders Common AltStartup:

*Folder not found*

 

User shell folders Common Startup:

*Folder not found*

 

User shell folders Alternate Common Startup:

*Folder not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

ScanRegistry = c:\windows\scanregw.exe /autorun

TaskMonitor = c:\windows\taskmon.exe

SystemTray = SysTray.Exe

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE

TPP Auto Loader = C:\WINDOWS\TPPALDR.EXE

EnsoniqMixer = starter.exe

POINTER = C:\Program Files\Microsoft Hardware\Mouse\point32.exe

ccApp = "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

ccRegVfy = "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

AVG7_CC = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP

AVG7_AMSVR = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

winmodem = WINMODEM.101\wmexe.exe

SchedulingAgent = mstask.exe

ccEvtMgr = "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

[OptionalComponents]

*No values found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

File association entry for .EXE:

HKEY_CLASSES_ROOT\exefile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .COM:

HKEY_CLASSES_ROOT\comfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .BAT:

HKEY_CLASSES_ROOT\batfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .PIF:

HKEY_CLASSES_ROOT\piffile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .SCR:

HKEY_CLASSES_ROOT\scrfile\shell\open\command

 

(Default) = "%1" /S

 

--------------------------------------------------

 

File association entry for .HTA:

HKEY_CLASSES_ROOT\htafile\shell\open\command

 

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

 

--------------------------------------------------

 

File association entry for .TXT:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

 

(Default) = c:\windows\NOTEPAD.EXE %1

 

--------------------------------------------------

 

Enumerating Active Setup stub paths:

HKLM\Software\Microsoft\Active Setup\Installed Components

(* = disabled by HKCU twin)

 

[setupcPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 c:\windows\INF\setupc.inf

 

[AppletsPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 c:\windows\INF\applets.inf

 

[FontsPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 c:\windows\INF\fonts.inf

 

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

 

[PerUser_ICW_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 c:\windows\INF\icw97.inf

 

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *

StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

 

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *

StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

 

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

 

[>PerUser_MSN_Clean] *

StubPath = c:\windows\msnmgsr1.exe

 

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *

StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

 

[PerUser_Msinfo] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 c:\windows\INF\msinfo.inf

 

[PerUser_Msinfo2] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 c:\windows\INF\msinfo.inf

 

[MotownMmsysPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 c:\windows\INF\motown.inf

 

[MotownAvivideoPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 c:\windows\INF\motown.inf

 

[MotownMPlayPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 c:\windows\INF\mplay98.inf

 

[PerUser_Base] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 c:\windows\INF\msmail.inf

 

[shellPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 c:\windows\INF\shell.inf

 

[shell2PerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 c:\windows\INF\shell2.inf

 

[PerUser_winbase_Links] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 c:\windows\INF\subase.inf

 

[PerUser_winapps_Links] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 c:\windows\INF\subase.inf

 

[PerUser_LinkBar_URLs] *

StubPath = c:\windows\COMMAND\sulfnbk.exe /L

 

[TapiPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 c:\windows\INF\tapi.inf

 

[PerUserOldLinks] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 c:\windows\INF\appletpp.inf

 

[MmoptRegisterPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 c:\windows\INF\mmopt.inf

 

[OlsPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 c:\windows\INF\ols.inf

 

[OlsMsnPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 c:\windows\INF\ols.inf

 

[PerUser_Paint_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 c:\windows\INF\applets.inf

 

[PerUser_Calc_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 c:\windows\INF\applets.inf

 

[PerUser_dxxspace_Links] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 c:\windows\INF\applets1.inf

 

[PerUser_MSBackup_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSBackup_Inis 64 c:\windows\INF\applets1.inf

 

[PerUser_CVT_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 c:\windows\INF\applets1.inf

 

[PerUser_Enable_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 c:\windows\INF\enable.inf

 

[MotownRecPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 c:\windows\INF\motown.inf

 

[PerUser_Vol] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 c:\windows\INF\motown.inf

 

[PerUser_MSWordPad_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 c:\windows\INF\wordpad.inf

 

[PerUser_RNA_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 c:\windows\INF\rna.inf

 

[PerUser_Wingames_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 c:\windows\INF\appletpp.inf

 

[PerUser_Sysmon_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 c:\windows\INF\appletpp.inf

 

[PerUser_Sysmeter_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 c:\windows\INF\appletpp.inf

 

[PerUser_netwatch_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 c:\windows\INF\appletpp.inf

 

[PerUser_CharMap_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 c:\windows\INF\appletpp.inf

 

[PerUser_Onlinelnks_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 c:\windows\INF\appletpp.inf

 

[PerUser_Dialer_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 c:\windows\INF\appletpp.inf

 

[PerUser_ClipBrd_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 c:\windows\INF\clip.inf

 

[MmoptMusicaPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 c:\windows\INF\mmopt.inf

 

[MmoptJunglePerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 c:\windows\INF\mmopt.inf

 

[MmoptRobotzPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 c:\windows\INF\mmopt.inf

 

[MmoptUtopiaPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 c:\windows\INF\mmopt.inf

 

[PerUser_CDPlayer_Inis] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 c:\windows\INF\mmopt.inf

 

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

 

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

 

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *

StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

 

[OlsAolPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 c:\windows\INF\ols.inf

 

[OlsAttPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 c:\windows\INF\ols.inf

 

[OlsCompuservePerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 c:\windows\INF\ols.inf

 

[OlsProdigyPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 c:\windows\INF\ols.inf

 

[shell3PerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 c:\windows\INF\shell3.inf

 

[Theme_Windows_PerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_Windows_PerUser 0 c:\windows\INF\themes.inf

 

[Theme_MoreWindows_PerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 c:\windows\INF\themes.inf

 

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\wpie5x86.inf,PerUserStub

 

[>IEPerUser] *

StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

 

[Chl99] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\chl99.inf,InstallUser

 

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *

StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

 

[NetservrPerUser] *

StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 c:\windows\INF\netservr.inf

 

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

 

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *

StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

 

--------------------------------------------------

 

Enumerating ICQ Agent Autostart apps:

HKCU\Software\Mirabilis\ICQ\Agent\Apps

 

*Registry key not found*

 

--------------------------------------------------

 

Load/Run keys from C:\WINDOWS\WIN.INI:

 

load=

run=

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=Explorer.exe

SCRNSAVE.EXE=

drivers=mmsystem.dll power.drv

 

--------------------------------------------------

 

Checking for EXPLORER.EXE instances:

 

C:\WINDOWS\Explorer.exe: PRESENT!

 

C:\Explorer.exe: not present

C:\WINDOWS\Explorer\Explorer.exe: not present

C:\WINDOWS\System\Explorer.exe: not present

C:\WINDOWS\System32\Explorer.exe: not present

C:\WINDOWS\Command\Explorer.exe: not present

C:\WINDOWS\Fonts\Explorer.exe: not present

 

--------------------------------------------------

 

C:\WINDOWS\WININIT.INI listing:

 

*File not found*

 

--------------------------------------------------

 

C:\WINDOWS\WININIT.BAK listing:

(Created 18/6/2006, 20:57:32)

 

[Rename]

NUL=C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT

NUL=C:\WINDOWS\COOKIES\INDEX.DAT

 

--------------------------------------------------

 

C:\AUTOEXEC.BAT listing:

 

C:\PROGRA~1\GRISOFT\AVGFRE~1\BOOTUP.EXE

SET BLASTER=A220 I7 D1 H7 P330 T6

SET SBPCI=C:\SBPCI

REM [Header]

ECHO OFF

REM [CD-ROM Drive]

REM [Miscellaneous]

REM [Display]

 

--------------------------------------------------

 

C:\CONFIG.SYS listing:

 

REM [Header]

REM == PISETUP Begin Delete ==

REM == PISETUP End Delete ==

REM [CD-ROM Drive]

REM [Miscellaneous]

REM [Display]

 

--------------------------------------------------

 

C:\WINDOWS\WINSTART.BAT listing:

 

*File not found*

 

--------------------------------------------------

 

C:\WINDOWS\DOSSTART.BAT listing:

 

echo off

REM Notes:

REM DOSSTART.BAT is run whenenver you choose "Restart the computer

REM in MS-DOS mode" from the Shutdown menu in Windows. It allows

REM you to load programs that you might not want loaded in Windows,

REM (because they have functional equivalents) but that you do

REM want loaded under MS-DOS. The two primary candidates for

REM this are MSCDEX and a real mode driver for the mouse you ship

REM with your system. Commands that you want present in both Windows

REM and MS-DOS should be placed in the Autoexec.bat in the

REM \Image directory of your reference server. Please note that for

REM MSCDEX you will need to load the corresponding real-mode CD

REM driver in Config.sys. This driver won't be used by Windows 98

REM but will be available prior to and after Windows 98 exits.

REM

REM This file is also helpful if you want to F8 boot into MS-DOS 7.0

REM before Windows loads and access the CD-ROM. All you have to do

REM is press F8 and then run DOSSTART to load MSCDEX and your real

REM mode mouse driver (no need to remember the command line parameters

REM for these two files.

REM

REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.

REM - The string following the /D: statement must explicitly match

REM the string in CONFIG.SYS following your CD-ROM device driver.

REM MSCDEX.EXE /D:OEMCD001 /l:d

REM MOUSE.EXE

C:\SBPCI\SBINIT

LH C:\PROGRA~1\MICROS~5\MOUSE\MOUSE.EXE

 

--------------------------------------------------

 

Checking for superhidden extensions:

 

.lnk: HIDDEN! (arrow overlay: yes)

.pif: HIDDEN! (arrow overlay: yes)

.exe: not hidden

.com: not hidden

.bat: not hidden

.hta: not hidden

.scr: not hidden

.shs: HIDDEN!

.shb: HIDDEN!

.vbs: not hidden

.vbe: not hidden

.wsh: not hidden

.scf: HIDDEN! (arrow overlay: NO!)

.url: HIDDEN! (arrow overlay: yes)

.js: not hidden

.jse: not hidden

 

--------------------------------------------------

 

Verifying REGEDIT.EXE integrity:

 

- Regedit.exe found in C:\WINDOWS

- .reg open command is normal (regedit.exe %1)

- Company name OK: 'Microsoft Corporation'

- Original filename OK: 'REGEDIT.EXE'

- File description: 'Registry Editor'

 

Registry check passed

 

--------------------------------------------------

 

Enumerating Browser Helper Objects:

 

(no name) - C:\PROGRA~1\SPYBOT~1.3\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Tune-up Application Start.job

Symantec NetDetect.job

Norton AntiVirus - Scan my computer.job

Gateway1BackupMyPCMainBackup032704.job

Gateway1FullBackup050705.job

Gateway1NewandChanged050705.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[Microsoft XML Parser for Java]

CODEBASE = file://c:\windows\Java\classes\xmldso4.cab

OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

 

[DirectAnimation Java Classes]

CODEBASE = file://c:\windows\SYSTEM\dajava.cab

OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

 

[internet Explorer Classes for Java]

CODEBASE = file://c:\windows\SYSTEM\iejava.cab

OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

 

[update Class]

InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8070.5210648148

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL

CODEBASE = http://fpdownload.macromedia.com/pub/shock...ector/swdir.cab

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[{31564D57-0000-0010-8000-00AA00389B71}]

CODEBASE = http://codecs.microsoft.com/codecs/i386/wmvax.cab

 

[{33564D57-0000-0010-8000-00AA00389B71}]

CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

 

[{0000000A-0000-0010-8000-00AA00389B71}]

CODEBASE = http://download.microsoft.com/download/d/4...0367/wmavax.CAB

 

[{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}]

 

[{8AD9C840-044E-11D1-B3E9-00805F499D93}]

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

NameSpace #1: c:\windows\SYSTEM\rnr20.dll

Protocol #1: c:\windows\SYSTEM\mswsosp.dll

Protocol #2: c:\windows\SYSTEM\msafd.dll

Protocol #3: c:\windows\SYSTEM\msafd.dll

Protocol #4: c:\windows\SYSTEM\msafd.dll

Protocol #5: c:\windows\SYSTEM\rsvpsp.dll

Protocol #6: c:\windows\SYSTEM\rsvpsp.dll

 

--------------------------------------------------

 

Enumerating Win9x VxD services:

 

VNETSUP: vnetsup.vxd

NDIS: ndis.vxd,ndis2sup.vxd

JAVASUP: JAVASUP.VXD

CONFIGMG: *CONFIGMG

NTKern: *NTKERN

VWIN32: *VWIN32

VFBACKUP: *VFBACKUP

VCOMM: *VCOMM

IFSMGR: *IFSMGR

IOS: *IOS

MTRR: *mtrr

SPOOLER: *SPOOLER

UDF: *UDF

VFAT: *VFAT

VCACHE: *VCACHE

VCOND: *VCOND

VCDFSD: *VCDFSD

VXDLDR: *VXDLDR

VDEF: *VDEF

VPICD: *VPICD

VTD: *VTD

REBOOT: *REBOOT

VDMAD: *VDMAD

VSD: *VSD

V86MMGR: *V86MMGR

PAGESWAP: *PAGESWAP

DOSMGR: *DOSMGR

VMPOLL: *VMPOLL

SHELL: *SHELL

PARITY: *PARITY

BIOSXLAT: *BIOSXLAT

VMCPD: *VMCPD

VTDAPI: *VTDAPI

PERF: *PERF

VRTWD: c:\windows\SYSTEM\vrtwd.386

VFIXD: c:\windows\SYSTEM\vfixd.vxd

VNETBIOS: vnetbios.vxd

VREDIR: vredir.vxd

DFS: dfs.vxd

NDISWAN: ndiswan.vxd

TurboVBF: turbovbf.vxd

VSERVER: vserver.vxd

SYMTDI: SYMTDI.VXD

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

 

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*Registry key not found*

 

--------------------------------------------------

 

End of report, 26,713 bytes

Report generated in 0.957 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

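The StartupList report above already applies several hijack checks (Explorer.exe in non-standard locations, superhidden extensions with and without the shortcut arrow overlay, unnamed Browser Helper Objects, WIN.INI load=/run= values); the same logic can be run over a saved report so that nothing in a long log is overlooked. The following is an added example and is not code from the thread or from the StartupList tool. The report text it parses is constructed in the same layout as the posted log; the CLSID on the second BHO line is made up, and the file names qhyxy.exe and geitqux.dll are borrowed from the suspect-file list the helper posts further down.

```python
"""Triage a StartupList-style report: re-apply the report's own hijack checks
to a saved copy so findings can be asserted rather than eyeballed.
Added example; SAMPLE_REPORT below is constructed, not a real log."""
import re
from collections import OrderedDict

# Constructed sample in the posted log's layout (the {00000000-...} CLSID is made up).
SAMPLE_REPORT = r"""
Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: PRESENT!
C:\WINDOWS\System32\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.shs: HIDDEN!
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.vbs: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1.3\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\SYSTEM\geitqux.dll - {00000000-0000-0000-0000-000000000000}

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\qhyxy.exe
"""

SEPARATOR = re.compile(r"^-{10,}$")
LEGIT_EXPLORER = r"c:\windows\explorer.exe"  # the only place the shell should live


def split_sections(report):
    """Split on the dashed separators; the first non-empty line of each chunk is
    the section header (trailing colon dropped), the remaining lines its entries."""
    sections = OrderedDict()
    chunk = []
    for raw in report.splitlines() + ["-" * 50]:  # sentinel flushes the last chunk
        if SEPARATOR.match(raw.strip()):
            lines = [ln.strip() for ln in chunk if ln.strip()]
            if lines:
                sections[lines[0].rstrip(":")] = lines[1:]
            chunk = []
        else:
            chunk.append(raw)
    return sections


def rogue_explorers(lines):
    """Explorer.exe reported PRESENT! anywhere but C:\\WINDOWS: the report probes
    exactly those paths because hijackers drop a look-alike shell there."""
    found = []
    for ln in lines:
        m = re.match(r"^(.+\\Explorer\.exe): PRESENT!$", ln, re.I)
        if m and m.group(1).lower() != LEGIT_EXPLORER:
            found.append(m.group(1))
    return found


def hidden_without_overlay(lines):
    """Extensions hidden from the user with no shortcut arrow: a file called
    readme.txt.scf then displays as readme.txt with an ordinary icon."""
    flagged = []
    for ln in lines:
        m = re.match(r"^(\.\w+): HIDDEN!(?: \(arrow overlay: ([^)]*)\))?$", ln)
        if m and (m.group(2) or "").lower() != "yes":
            flagged.append(m.group(1))
    return flagged


def unnamed_bhos(lines):
    """BHOs registered without a display name, as (dll path, CLSID) for manual review."""
    return [(m.group(1), m.group(2)) for m in
            (re.match(r"^\(no name\) - (.+?) - (\{[0-9A-Fa-f-]+\})$", ln) for ln in lines) if m]


def winini_autostarts(lines):
    """Non-empty load=/run= in WIN.INI: a Win9x autostart vector outside the Run keys."""
    return [(m.group(1).lower(), m.group(2).strip()) for m in
            (re.match(r"^(load|run)=(.+)$", ln, re.I) for ln in lines) if m]


def triage(report):
    s = split_sections(report)
    return {
        "rogue_explorers": rogue_explorers(s.get("Checking for EXPLORER.EXE instances", [])),
        "hidden_without_overlay": hidden_without_overlay(s.get("Checking for superhidden extensions", [])),
        "unnamed_bhos": unnamed_bhos(s.get("Enumerating Browser Helper Objects", [])),
        "winini_autostarts": winini_autostarts(s.get(r"Load/Run keys from C:\WINDOWS\WIN.INI", [])),
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_REPORT).items():
        print(f"{key}: {hits if hits else 'nothing flagged'}")
```

The unnamed-BHO and WIN.INI checks report for review rather than judge: the Spybot SDHELPER.DLL entry is also "(no name)" and is benign, so the dll path, not the missing name, is what a reviewer decides on. On the actual log above the script would flag .shs, .shb and .scf for the overlay check and nothing for the Explorer.exe check, which matches what the helper concluded by reading it.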

That all looks pretty good.

 

I'm not really sure about the Precisionpop file; it could be a false positive.

That was this file. Could you put a copy at the upload site so I can check it first?

 

C:\WINDOWS\starter.exe

 

Upload site, your thread:

http://www.thespykiller.co.uk/forum/index.php?topic=1909.0

...............................

 

This is ok - already quarantined by Spybot

Smitfraud Browser Hijacker found in File System

File C:\Windows\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip infected by "Password-Protected-Exe" virus!

..................

Make sure your PC is configured to show hidden files

How to Show Hidden Files

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Check to see if any of these exist and if found, delete them

 

C:\WINDOWS\awisam.exe

 

C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe

 

C:\WINDOWS\bcgbkrm.exe

 

C:\WINDOWS\guwwl.dat

 

C:\WINDOWS\qhyxy.exe

 

C:\WINDOWS\geitqux.dll

 

C:\Program Files\Common Files\svchostsys (folder) - delete entire folder, if found

 

C:\Program Files\Common Files\simtest (folder) - delete entire folder, if found

 

C:\wd7gi8n.exe

 

C:\Trelew.exe

 

C:\SS1001.exe

 

C:\stub_sca3.exe

 

C:\Mendoza1.exe

 

Then, let me know what symptoms if any you see on your end that may remain


I just uploaded the Starter.exe file at the other link.

 

I was able to find some but not all of the following files:

 

Did Not Find! Instead, I Found & Deleted: Awizam.lgc

C:\WINDOWS\awisam.exe

 

Did Not Find! Instead, I Found & Deleted: sfutg.lgc

C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe

 

Did Not Find!

C:\WINDOWS\bcgbkrm.exe

 

Did Not Find!

C:\WINDOWS\guwwl.dat

 

Did Not Find!

C:\WINDOWS\qhyxy.exe

 

Did Not Find!

C:\WINDOWS\geitqux.dll

 

Found & Deleted!

C:\Program Files\Common Files\svchostsys (folder) - delete entire folder, if found

 

Found & Deleted!

C:\Program Files\Common Files\simtest (folder) - delete entire folder, if found

 

Did Not Find!

C:\wd7gi8n.exe

 

Found & Deleted!

C:\Trelew.exe

 

Did Not Find!

C:\SS1001.exe

 

Found & Deleted!

C:\stub_sca3.exe

 

Found & Deleted!

C:\Mendoza1.exe


I am scanning with MWAV again and so far (at approx. 5%) it found the following:

 

Precisionpop Spyware/Adware found in File System

Smitfraud Browser Hijacker found in File System

> I am scanning with MWAV again and so far (at approx. 5%) it found the following:
>
> Precisionpop Spyware/Adware found in File System
> Smitfraud Browser Hijacker found in File System

That PrecisionPop is a False positive.

 

Starter.exe is a legitimate file that belongs to Creative Technologies (Not precisionpop)

Description:

starter.exe is installed alongside Creative Labs Ensoniq Mixer and provides added functionality to the default Windows volume facility.

 

And it scanned clean by a dozen or more Antivirus programs :)

Please do not delete Starter.exe

File: Starter.exe
Status: OK
MD5: 768978e0a8cf41212bbb87edf8d3a070
Packers detected: -

Scanner results:
AntiVir - Found nothing
ArcaVir - Found nothing
Avast - Found nothing
AVG Antivirus - Found nothing
BitDefender - Found nothing
ClamAV - Found nothing
Dr.Web - Found nothing
F-Prot Antivirus - Found nothing
Fortinet - Found nothing
Kaspersky Anti-Virus - Found nothing
NOD32 - Found nothing
Norman Virus Control - Found nothing
UNA - Found nothing
VirusBuster - Found nothing
VBA32 - Found nothing

.........................................

The other one (Smitfraud in File System) is the one in Spybot's quarantine, so it is already quarantined where it cannot run.

 

I really think we have got this PC as clean as possible of anything dangerous, and there is no further danger in being online or using your MS documents, etc.

 

It might be a good idea to abort the MWAV scan (it's days old now anyway) and get an online scan at

Kaspersky free online scanner.

http://www.kaspersky.com/virusscanner

 

Save the log at the end and post it at the upload site.

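Two of the helper's steps above lend themselves to a script: walking a posted list of indicator paths to see which exist (the step the user reported back on file by file), and deciding by file hash rather than by one scanner's verdict whether a flagged file like Starter.exe should be kept. Below is an added Python example covering both; it is not code from the thread. The indicator paths and the MD5 768978e0a8cf41212bbb87edf8d3a070 are quoted from the posts; the directory tree it runs against is constructed in a temporary directory, so the starter.exe in it is a stand-in whose hash will not match the quoted value, which is exactly the case the script must handle.

```python
"""Check posted indicator paths and hash-verify a flagged file before deletion.
Added example; the filesystem it runs on is constructed in a temp directory."""
import hashlib
import os
import tempfile

# Indicator paths quoted from the helper's post, relative to the drive root.
INDICATORS = [
    r"WINDOWS\awisam.exe",
    r"WINDOWS\Start Menu\Programs\StartUp\sfutg.exe",
    r"WINDOWS\bcgbkrm.exe",
    r"WINDOWS\guwwl.dat",
    r"WINDOWS\qhyxy.exe",
    r"WINDOWS\geitqux.dll",
    r"Program Files\Common Files\svchostsys",
    r"Program Files\Common Files\simtest",
    r"wd7gi8n.exe",
    r"Trelew.exe",
    r"SS1001.exe",
    r"stub_sca3.exe",
    r"Mendoza1.exe",
]

# Known-good MD5 for Creative's starter.exe as quoted in the thread.
KNOWN_GOOD_MD5 = {"starter.exe": "768978e0a8cf41212bbb87edf8d3a070"}


def to_local(root, rel_windows_path):
    """Map a backslash-separated path from the post onto the local tree."""
    return os.path.join(root, *rel_windows_path.split("\\"))


def build_sample_tree(root):
    """Constructed filesystem: the five indicators the user actually found,
    plus a stand-in starter.exe; everything else on the list is absent."""
    for rel in (r"Program Files\Common Files\svchostsys",
                r"Program Files\Common Files\simtest", "WINDOWS"):
        os.makedirs(to_local(root, rel), exist_ok=True)
    for rel in (r"Trelew.exe", r"stub_sca3.exe", r"Mendoza1.exe", r"WINDOWS\starter.exe"):
        with open(to_local(root, rel), "wb") as fh:
            fh.write(b"MZ constructed sample content for " + rel.encode())


def check_indicators(root, indicators=INDICATORS):
    """Report each indicator as 'file', 'dir' or 'missing'; nothing is deleted here."""
    status = {}
    for rel in indicators:
        path = to_local(root, rel)
        if os.path.isdir(path):
            status[rel] = "dir"
        elif os.path.isfile(path):
            status[rel] = "file"
        else:
            status[rel] = "missing"
    return status


def file_hashes(path):
    """MD5 (to compare with the value quoted in the thread) and SHA-256 (to keep
    on record, since MD5 collisions are practical) of one file."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def verdict(path, known_good_md5=KNOWN_GOOD_MD5):
    """'keep' only when the file's MD5 matches a vetted value for that file name;
    otherwise 'review'. One scanner's hit is not grounds for deletion on its own,
    as the PrecisionPop false positive in this thread shows."""
    md5, _sha256 = file_hashes(path)
    expected = known_good_md5.get(os.path.basename(path).lower())
    return "keep" if expected and md5 == expected.lower() else "review"


def run_demo():
    """Build the constructed tree, check the indicators and hash the stand-in."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        status = check_indicators(root)
        starter = to_local(root, r"WINDOWS\starter.exe")
        md5, sha256 = file_hashes(starter)
        # Against the thread's MD5 the stand-in is 'review'; against its own hash, 'keep'.
        return status, verdict(starter), verdict(starter, {"starter.exe": md5}), md5, sha256


if __name__ == "__main__":
    status, by_thread_hash, by_own_hash, md5, sha256 = run_demo()
    for rel, state in status.items():
        print(f"{state:8} {rel}")
    print("starter.exe md5", md5, "sha256", sha256)
    print("verdict vs thread MD5:", by_thread_hash, "| vs own MD5:", by_own_hash)
```

The script only reports; deleting the "file" and "dir" hits is a separate, deliberate step once every "review" entry has been resolved, which is the order the helper followed. A hash match tells you the file is byte-for-byte the one the multi-engine scan cleared, nothing more, and because MD5 collisions are practical the SHA-256 is what should be recorded for any later comparison.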